Audit Report on the Development and Implementation Of the Housing Preservation and Development Information System

AUDIT REPORT IN BRIEF

We performed an audit on the development and implementation of the Housing Preservation and Development Information System (HPDInfo). The system has become a multi-module system with a central repository of information on private and City-owned residential properties and registered property owners, as well as information on tenant correspondence and complaints, violations, repair work, demolitions, and vendor payment status. Our audit also covered enhancements to the initial system.

HPDInfo met the Department’s initial business and system requirements; the system design allowed for future enhancements and upgrades, and the Department generally complied with the City Charter and relevant Procurement Policy Board Rules when procuring services, equipment, and software for the system. In addition, the system met the overall goals as stated in the original system justification. However, the Department did not follow a formal system methodology. Moreover, since development and implementation of the system’s expanded scope is not complete, we do not know whether the revised goals in the system justification will be met.

In addition, our user satisfaction survey revealed that 57 percent of the respondents stated that they would like to see changes made to HPDInfo. Moreover, the Department provided no acceptance-testing certificates for any of the completed modules, and it used the same individuals both to develop the system and to serve as quality assurance consultants. Also, the system does not control log-in access of inactive users, it does not require that users change their access passwords, and it is not equipped with an automatic lockout feature. Finally, the Department does not have procedures in place to ensure that security violations are recorded, documented, and reviewed.

To address these issues, we recommend that the Department:

• Develop and follow a formal systems development methodology for the completion of HPDInfo and for all future system development projects.
• Develop formal acceptance-sign-off procedures.
• Engage an independent quality-assurance consultant to monitor and review development work and any system enhancements or subsequent work on HPDInfo.
• Ensure that user concerns are addressed.
• Develop written policies and procedures to terminate inactive user identifications (IDs). In addition, the Department should immediately terminate the access of those individuals who are no longer employed by the agency. Furthermore, the Department should review the status of the inactive users and terminate access as appropriate.
• Have its personnel department immediately advise the Technology and Strategic Development Division (Division) of those employees leaving or terminated from the Department. The Division should promptly delete those accounts from the system.
• Develop written policies and procedures for password-security control.
• Install a lockout feature that automatically disables access to the system after a predetermined number of unsuccessful log-in attempts.
• Establish formal procedures to document and report system-access violations, and review and follow up on all reported access violations.